roles/named: Implement response policy zones
BIND response policy zones (RPZ) support provides a mechanism for overriding the responses to DNS queries based on a wide range of criteria. In the simplest form, a response policy zone can be used to provide different responses to different clients, or "block" some DNS names. For the Pyrocufflink and related networks, I plan to use an RPZ to implement ad/tracker blocking. The goal will be to generate an RPZ definition from a collection of host lists (e.g. those used by uBlock Origin) periodically. This commit introduces basic support for RPZ configuration in the *named* role. It can be activated by providing a list of "response policy" definitions (e.g. `zone "name"`) in the `named_response_policy` variable, and defining the corresponding zones in `named_zones`.
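As an added example (not part of this commit or of the *named* role), the following generator turns a hosts-format block list into the kind of RPZ zone file the commit message plans to produce. The zone origin `blackhole.rpz` comes from the diff; the sample list, the `hostmaster` contact and the `localhost.` nameserver are assumptions.

```python
import re

# Constructed sample of a hosts-format block list (uBlock Origin style); not from the page.
SAMPLE_HOSTS = """\
# Title: example list
0.0.0.0 ads.example.test
127.0.0.1 Tracker.Example.test   # inline comment
0.0.0.0 localhost
0.0.0.0 ads.example.test
0.0.0.0 bad_name.example.test
||filter-syntax.example.test^
"""

# Names that hosts lists commonly carry but that the RPZ must never rewrite.
SKIP_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost", "ip6-localhost"}
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Only syntactically valid hostnames may become RPZ trigger names."""
    return len(name) <= 253 and all(LABEL_RE.match(label) for label in name.split("."))


def parse_hosts(text):
    """Extract blocked names from hosts-format text, dropping junk lines and duplicates."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue  # comments, blank lines, and non-hosts syntax such as adblock filters
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in SKIP_NAMES and valid_hostname(name):
                names.add(name)
    return sorted(names)


def rpz_zone(origin, names, serial, ns="localhost."):
    """Render an RPZ zone: 'name CNAME .' answers NXDOMAIN, '*.name' covers subdomains."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA {ns} hostmaster.{origin}. {serial} 3600 900 604800 300",
        f"@ IN NS {ns}",
    ]
    for name in names:
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rpz_zone("blackhole.rpz", parse_hosts(SAMPLE_HOSTS), serial=2024010101))
```

The rendered file is served as an ordinary authoritative zone listed in `named_zones`, and `response-policy { zone "blackhole.rpz"; };` makes BIND answer NXDOMAIN for every trigger name in it.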
@@ -7,6 +7,8 @@ named_listen_v6:
named_allow_query:
- any
named_dnssec_validation: false
named_response_policy:
- zone "blackhole.rpz"
pyrocufflink_common_zones:
- zone: pyrocufflink.blue
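Review bot: the new `named_response_policy` entry is a raw `zone "blackhole.rpz"` fragment that the role presumably interpolates verbatim into BIND's `response-policy { ... };` block, so a stray semicolon or typo in the string breaks the whole `named.conf`; run `named-checkconf` on the rendered configuration before reloading, and document that every zone named here must also be defined in `named_zones` (as the commit message requires), because named rejects a `response-policy` that references a zone it does not serve. Note also that with `named_dnssec_validation: false` in the same file the rewrites apply uniformly; if validation is later enabled, BIND leaves DNSSEC-signed answers to DO-bit queries unrewritten unless `break-dnssec yes` is set.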
@@ -58,4 +60,4 @@ pyrocufflink_common_zones:
- 192.168.20.146
- 192.168.20.147
named_zones: '{{ pyrocufflink_red_zones + pyrocufflink_common_zones }}'
named_zones: '{{ pyrocufflink_red_zones + pyrocufflink_common_zones + rpz_zones }}'
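Review bot: `rpz_zones` is appended to `named_zones` here but is not defined anywhere in this diff; if it is missing from the same variable scope as `pyrocufflink_red_zones` and `pyrocufflink_common_zones`, the Jinja expression fails with an undefined-variable error on every host in the group. Either add the definition in this change or guard the expression with `rpz_zones | default([])`, and make sure the list contains the `blackhole.rpz` zone that the new `named_response_policy` entry refers to.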